
Apple Fixes Flaw Impacting HomeKit Devices

Apple said it has fixed an undisclosed vulnerability in its HomeKit framework that could have allowed unauthorized remote control of HomeKit devices such as smart locks and connected garage door openers.

The flaw was first reported by the publication 9to5Mac on Thursday. According to the publication, the vulnerability requires an iPhone or iPad running the latest iOS 11.2 that is linked to the HomeKit user’s iCloud account.

The write-up on the vulnerability is vague and does not state what the specific vulnerability is, only that it was demonstrated to the publication and that it is complex to exploit.

HomeKit is Apple’s software framework for smart-home appliances that lets iPhone and iPad users communicate with and control dozens of compatible third-party HomeKit-enabled devices.

Apple said in a statement:

“The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”

According to the publication, the temporary fix disables the server-side remote access component of HomeKit used to share access to other users.

“We also understand that Apple was informed about this and related vulnerabilities in late October, and some but not all issues were fixed as part of iOS 11.2 and watchOS 4.2 which were released this week,” reported 9to5Mac.

This isn’t the first issue Apple has had with iOS 11, released in September. There have been several subsequent iOS updates that addressed an autocorrect bug, the KRACK vulnerability and a slew of regular maintenance fixes. The iOS 11.2 update, released last week, addressed multiple memory corruption issues and a bug that caused some iOS devices to unexpectedly restart, according to Apple.

None of the issues are as severe as the security flaw in the macOS High Sierra operating system found last month, which allowed admin access to computers simply by putting “root” in the user name field.

The Apple HomeKit fix comes as more pressure is put on IoT device makers to focus on shoring up device security and reliability. It’s also not the first time a keyless door system has caused owners headaches.

In May, New York Attorney General Eric Schneiderman settled with Safetech Products over the sale of insecure Bluetooth door locks and padlocks. The issue was tied to Safetech sending clear-text passwords via Bluetooth between the locks and the user’s smartphone. A botched wireless update for a remotely accessible smart lock system made by LockState accidentally bricked hundreds of locks in August. And last year, SecuRing warned that a growing number of Bluetooth devices used for keyless entry and mobile point-of-sale systems are vulnerable to man-in-the-middle attacks.

9to5Mac reports the vulnerability is not related to any specific HomeKit product, but instead the framework.

Authors

Threatpost
